nix-bitcoin/modules/nix-bitcoin-services.nix

let
  defaultHardening = {
      PrivateTmp = "true";
      ProtectSystem = "full";
      ProtectHome = "true";
      NoNewPrivileges = "true";
      PrivateDevices = "true";
      MemoryDenyWriteExecute = "true";
      ProtectKernelTunables = "true";
      ProtectKernelModules = "true";
      ProtectControlGroups = "true";
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      LockPersonality = "true";
  };
in
{
  inherit defaultHardening;
  # node applications apparently rely on memory write execute
  nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
}
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`let`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`defaultHardening = {`
			`PrivateTmp = "true";`
			`ProtectSystem = "full";`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`ProtectHome = "true";`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`NoNewPrivileges = "true";`
			`PrivateDevices = "true";`
			`MemoryDenyWriteExecute = "true";`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`ProtectKernelTunables = "true";`
			`ProtectKernelModules = "true";`
			`ProtectControlGroups = "true";`
			`RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";`
			`LockPersonality = "true";`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`};`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`in`
			`{`
			`inherit defaultHardening;`
			`# node applications apparently rely on memory write execute`
			`nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`}`